Technologies for secure I/O with memory encryption engines

ABSTRACT

Technologies for secure I/O data transfer include a computing device having a processor and an accelerator. Each of the processor and the accelerator includes a memory encryption engine. The computing device configures both memory encryption engines with a shared encryption key and transfers encrypted data from a source component to a destination component via an I/O link. The source may be the processor and the destination may be the accelerator or vice versa. The computing device may perform a cryptographic operation with one of the memory encryption engines and bypass the other memory encryption engine. The computing device may read encrypted data from a memory of the source, bypass the source memory encryption engine, and transfer the encrypted data to the destination. The destination may receive encrypted data, bypass the destination memory encryption engine, and store the encrypted data in a memory of the destination. Other embodiments are described and claimed.

CROSS-REFERENCE TO RELATED APPLICATION

The present application claims the benefit of U.S. Provisional Patent Application No. 62/687,403, filed Jun. 20, 2018.

BACKGROUND

Current processors may provide support for a trusted execution environment such as a secure enclave. Secure enclaves include segments of memory (including code and/or data) protected by the processor from unauthorized access including unauthorized reads and writes. In particular, certain processors may include Intel® Software Guard Extensions (SGX) to provide secure enclave support. In particular, SGX provides confidentiality, integrity, and replay-protection to the secure enclave data while the data is resident in the platform memory and thus provides protection against both software and hardware attacks. The on-chip boundary forms a natural security boundary, where data and code may be stored in cleartext and assumed to be secure. Intel® SGX does not protect I/O data that moves across the on-chip boundary.

Modern computing devices may include general-purpose processor cores as well as a variety of hardware accelerators for offloading compute-intensive workloads or performing specialized tasks. Hardware accelerators may include, for example, one or more field-programmable gate arrays (FPGAs), which may include programmable digital logic resources that may be configured by the end user or system integrator. Hardware accelerators may also include one or more application-specific integrated circuits (ASICs). Hardware accelerators may be embodied as I/O devices that communicate with the processor core over an I/O interconnect.

Certain computing devices support total memory encryption to prevent certain hardware attacks. For example, platforms may include memory encryption engines on the path to memory that encrypt or decrypt data as it moves to and from memory. Similarly, certain I/O devices or other components may include integrated link encryption that protects data as it travels over an I/O link. Thus, certain computing devices may perform two encryption operations for certain data, for both memory encryption and link encryption.

BRIEF DESCRIPTION OF THE DRAWINGS

The concepts described herein are illustrated by way of example and not by way of limitation in the accompanying figures. For simplicity and clarity of illustration, elements illustrated in the figures are not necessarily drawn to scale. Where considered appropriate, reference labels have been repeated among the figures to indicate corresponding or analogous elements.

FIG. 1 is a simplified block diagram of at least one embodiment of a computing device for secure I/O with memory encryption engines;

FIG. 2 is a simplified block diagram of at least one embodiment of an environment of the computing device of FIG. 1;

FIG. 3 is a simplified flow diagram of at least one embodiment of a method for secure I/O transfers with memory encryption engines that may be executed by the computing device of FIGS. 1-2;

FIG. 4 is a simplified flow diagram of at least one embodiment of a method for source component transfers that may be executed by the computing device of FIGS. 1-2; and

FIG. 5 is a simplified flow diagram of at least one embodiment of a method for destination component transfers that may be executed by the computing device of FIGS. 1-2.

DETAILED DESCRIPTION OF THE DRAWINGS

While the concepts of the present disclosure are susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and will be described herein in detail. It should be understood, however, that there is no intent to limit the concepts of the present disclosure to the particular forms disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives consistent with the present disclosure and the appended claims.

References in the specification to “one embodiment,” “an embodiment,” “an illustrative embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may or may not necessarily include that particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. Additionally, it should be appreciated that items included in a list in the form of “at least one A, B, and C” can mean (A); (B); (C); (A and B); (A and C); (B and C); or (A, B, and C). Similarly, items listed in the form of “at least one of A, B, or C” can mean (A); (B); (C); (A and B); (A and C); (B and C); or (A, B, and C).

The disclosed embodiments may be implemented, in some cases, in hardware, firmware, software, or any combination thereof. The disclosed embodiments may also be implemented as instructions carried by or stored on a transitory or non-transitory machine-readable (e.g., computer-readable) storage medium, which may be read and executed by one or more processors. A machine-readable storage medium may be embodied as any storage device, mechanism, or other physical structure for storing or transmitting information in a form readable by a machine (e.g., a volatile or non-volatile memory, a media disc, or other media device).

In the drawings, some structural or method features may be shown in specific arrangements and/or orderings. However, it should be appreciated that such specific arrangements and/or orderings may not be required. Rather, in some embodiments, such features may be arranged in a different manner and/or order than shown in the illustrative figures. Additionally, the inclusion of a structural or method feature in a particular figure is not meant to imply that such feature is required in all embodiments and, in some embodiments, may not be included or may be combined with other features.

Referring now to FIG. 1, a computing device 100 for secure I/O with an accelerator device includes a processor 120 and an accelerator 134, such as a field-programmable gate array (FPGA). Each of the processor 120 and the accelerator 134 includes or otherwise uses a memory encryption engine, such as a multi-key total memory encryption (MKTME) engine. In use, as described further below, the memory encryption engines of each of the processor 120 and the accelerator 134 are programmed with a shared encryption key. Data is transferred between the processor 120 and the accelerator 134 over an I/O link (e.g., a PCI Express (PCIe) link, an Intel Accelerator Link (IAL) link, or other physical link) that may be exposed to physical attackers. To protect against physical attacks, the data transferred over the link is encrypted by the memory encryption engines. The computing device 100 may bypass one of the memory encryption engines of the processor 120 or the accelerator 134 in order to avoid performing decryption and encryption of the same data twice or to otherwise improve performance. Additionally, although illustrated as protecting data transferred between a processor 120 and an accelerator 134, it should be understood that the technologies disclosed herein may protect any I/O link between components with memory encryption engines. Thus, the computing device 100 may protect data transferred over an I/O link efficiently, without performing multiple encryption/decryption operations on the same data. For example, the computing device 100 may save at least one encryption and one decryption operation per data transfer as compared to typical systems that perform separate memory encryption and link encryption operations. Furthermore, by bypassing a memory encryption engine, the computing device 100 may avoid transmitting cryptographic tweak information over the I/O link, which may reduce bandwidth usage. Additionally, by performing link encryption using the memory encryption engines, the link encryption does not need to be performed by application software. Thus, the computing device 100 may improve performance/power consumption and/or reduce processor utilization by removing certain cryptographic operations from software.

The computing device 100 may be embodied as any type of device capable of performing the functions described herein. For example, the computing device 100 may be embodied as, without limitation, a computer, a laptop computer, a tablet computer, a notebook computer, a mobile computing device, a smartphone, a wearable computing device, a multiprocessor system, a server, a workstation, and/or a consumer electronic device. As shown in FIG. 1, the illustrative computing device 100 includes a processor 120, an I/O subsystem 124, a memory 128, and a data storage device 130. Additionally, in some embodiments, one or more of the illustrative components may be incorporated in, or otherwise form a portion of, another component. For example, the memory 128, or portions thereof, may be incorporated in the processor 120 in some embodiments.

The processor 120 may be embodied as any type of processor capable of performing the functions described herein. For example, the processor 120 may be embodied as a single or multi-core processor(s), digital signal processor, microcontroller, or other processor or processing/controlling circuit. As shown, the processor 120 illustratively includes secure enclave support 122, which allows the processor 120 to establish a trusted execution environment known as a secure enclave, in which executing code may be measured, verified, and/or otherwise determined to be authentic. Additionally, code and data included in the secure enclave may be encrypted or otherwise protected from being accessed by code executing outside of the secure enclave. For example, code and data included in the secure enclave may be protected by hardware protection mechanisms of the processor 120 while being executed or while being stored in certain protected cache memory of the processor 120. The code and data included in the secure enclave may be encrypted when stored in a shared cache or the main memory 128. The secure enclave support 122 may be embodied as a set of processor instruction extensions that allows the processor 120 to establish one or more secure enclaves in the memory 128. For example, the secure enclave support 122 may be embodied as Intel® Software Guard Extensions (SGX) technology.

The memory 128 may be embodied as any type of volatile or non-volatile memory or data storage capable of performing the functions described herein. In operation, the memory 128 may store various data and software used during operation of the computing device 100 such as operating systems, applications, programs, libraries, and drivers. As shown, the memory 128 is coupled to the processor 120 and/or the I/O subsystem 124 via a multi-key total memory encryption engine (MKTME) 126, which may be included in or otherwise coupled to a memory controller, integrated memory controller hub, or other memory interface. The MKTME 126 allows the computing device 100 to transparently encrypt the contents of the memory 128. The MKTME 126 maintains a table or other internal, protected structure with multiple encryption keys, which are used to encrypt and decrypt data as it is stored to and read from the memory 128, respectively. The encryption keys are illustratively 128-bit AES XTS keys, although they may be embodied as any symmetric, asymmetric, or other encryption key. The encryption key may be selected by the MKTME 126 on a per-page basis, for example based on a key identifier included in one or more otherwise unused upper bits of the physical memory page address for a particular memory access. In those embodiments, an operating system, virtual memory monitor, or other supervisory component of the computing device 100 may control access to particular memory pages by configuring one or more page tables and/or extended page tables with the appropriate key identifiers. MKTME keys may be generated by the MKTME 126, in which case they are not disclosed outside of the SoC, or may be supplied by software. In some embodiments, the MKTME 126 may include support for Intel Trusted Domain Extensions (TDX). With TDX, the MKTME 126 may accept an external “domain” key, also called a “user” or “tenant” key. The MKTME 126 may also use a default key that is self-generated to protect memory used by MKTME and Intel SGX as well as Intel TDX. Although illustrated as coupled between the memory 128 and the processor 120 and I/O subsystem 124, it should be understood that in some embodiments, the MKTME 126 may be included in the processor 120, in the I/O subsystem 124, or other component of the computing device 100.

As shown, the processor 120 is communicatively coupled to the I/O subsystem 124, which may be embodied as circuitry and/or components to facilitate input/output operations with the processor 120, the memory 128, and other components of the computing device 100. For example, the I/O subsystem 124 may be embodied as, or otherwise include, memory controller hubs, input/output control hubs, sensor hubs, host controllers, firmware devices, communication links (i.e., point-to-point links, bus links, wires, cables, light guides, printed circuit board traces, etc.) and/or other components and subsystems to facilitate the input/output operations. As shown, the memory 128 may be directly coupled to the processor 120, for example via an integrated memory controller hub. Additionally, in some embodiments, the I/O subsystem 124 may form a portion of a system-on-a-chip (SoC) and be incorporated, along with the processor 120, the memory 128, the accelerator 134, and/or other components of the computing device 100, on a single integrated circuit chip. Additionally or alternatively, in some embodiments the processor 120 may include an integrated memory controller and a system agent, which may be embodied as a logic block in which data traffic from processor cores and I/O devices converges before being sent to the memory 128.

The data storage device 130 may be embodied as any type of device or devices configured for short-term or long-term storage of data such as, for example, memory devices and circuits, memory cards, hard disk drives, solid-state drives, non-volatile flash memory, or other data storage devices. The computing device 100 may also include a communications subsystem 132, which may be embodied as any communication circuit, device, or collection thereof, capable of enabling communications between the computing device 100 and other remote devices over a computer network (not shown). The communications subsystem 132 may be configured to use any one or more communication technology (e.g., wired or wireless communications) and associated protocols (e.g., Ethernet, Bluetooth®, WiMAX, 3G, 4G LTE, etc.) to effect such communication.

The accelerator 134 may be embodied as a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a graphics processor unit (GPU), a coprocessor, an I/O device, or other digital logic device capable of performing accelerated functions (e.g., accelerated application functions, accelerated network functions, or other accelerated functions). Illustratively, the accelerator 134 is an FPGA, which may be embodied as an integrated circuit including programmable digital logic resources that may be configured after manufacture. The FPGA may include, for example, a configurable array of logic blocks in communication over a configurable data interchange.

As shown, the illustrative accelerator 134 also includes an MKTME 136. Similar to the MKTME 126, the MKTME 136 allows the accelerator 134 to transparently encrypt the contents of a memory 138 coupled to the accelerator 134. Accordingly, the description of the MKTME 126 is also applicable to the MKTME 136 and is not repeated. The memory 138 may be embodied as an internal or external DRAM, VRAM, or other memory coupled to the accelerator 134. Similar to the memory 128, the contents of the memory 138 are transparently encrypted, which may prevent certain hardware attacks. In some embodiments, the memory 128 and the memory 138 may be included in a unified address space.

As shown, the computing device 100 may further include one or more peripheral devices 140. The peripheral devices 140 may include any number of additional input/output devices, interface devices, hardware accelerators, and/or other peripheral devices. For example, in some embodiments, the peripheral devices 140 may include a touch screen, graphics circuitry, a graphical processing unit (GPU) and/or processor graphics, an audio device, a microphone, a camera, a keyboard, a mouse, a network interface, and/or other input/output devices, interface devices, and/or peripheral devices.

As shown in FIG. 1, the accelerator 134 may be coupled to the processor 120 via a link 142, which may be embodied as a high-speed connection interface such as a peripheral bus (e.g., a PCI Express bus or an Intel Accelerator Link (IAL) bus (e.g., IAL.io or IAL.mem)) or an inter-processor interconnect (e.g., an in-die interconnect (IDI) or QuickPath Interconnect (QPI)), or any other appropriate interconnect. The link 142 may include one or more buses, point-to-point links, lanes, switches, or other board-level components. Thus, data transferred in cleartext over the link 142 may be vulnerable to certain physical attacks.

Referring now to FIG. 2, in an illustrative embodiment, the computing device 100 establishes an environment 200 during operation. The illustrative environment 200 includes a transfer manager 202, bypass control logic 204, a source 206 including a memory encryption engine 208, and a destination 214 including a memory encryption engine 216. The various components of the environment 200 may be embodied as hardware, firmware, software, or a combination thereof. As such, in some embodiments, one or more of the components of the environment 200 may be embodied as circuitry or collection of electrical devices (e.g., transfer manager circuitry 202, bypass control logic circuitry 204, and/or memory encryption engine circuitry 208, 216). It should be appreciated that, in such embodiments, one or more of the transfer manager circuitry 202, the bypass control logic circuitry 204, and/or the memory encryption engine circuitry 208, 216 may form a portion of the processor 120, the I/O subsystem 124, the accelerator 134, the MKTME 126, 136, and/or other components of the computing device 100. Additionally, in some embodiments, one or more of the illustrative components may form a portion of another component and/or one or more of the illustrative components may be independent of one another.

The transfer manager 202 may be embodied as or otherwise include a trusted application, one or more secure enclaves established using the secure enclave support 122, or other trusted execution environment. The transfer manager 202 is configured to configure the memory encryption engines 208, 216 with a shared encryption key. The transfer manager 202 is further configured to cause a transfer of encrypted data from the source component 206 to the destination component 214 via an I/O link between those components 206, 214 (e.g. the I/O link 142). The encrypted data is encrypted with the shared encryption key.

The source 206 and the destination 214 may be embodied as any components of the computing device 100 connected by an I/O link, such as the processor 120 and the accelerator 134. In some embodiments, each of the processor 120 and the accelerator 134 may be capable of performing the functions of both the source 206 and the destination 214, depending on the direction of data transferred over the I/O link. Accordingly, both of the MKTME 126, 136 may be capable of performing the functions of both memory encryption engines 208, 216, depending on the direction of data transfer. For example, for a transfer from the processor 120 to the accelerator 134 over the I/O link 142, the source 206 may be embodied as the processor 120, the memory encryption engine 208 may be embodied as the MKTME 126, the destination 214 may be embodied as the accelerator 134, and the memory encryption engine 216 may be embodied as the MKTME 136. As another example, for a transfer from the accelerator 134 to the processor 120 over the I/O link 142, the source 206 may be embodied as the accelerator 134, the memory encryption engine 208 may be embodied as the MKTME 136, the destination 214 may be embodied as the processor 120, and the memory encryption engine 216 may be embodied as the MKTME 126.

As shown, each of the source 206 and the destination 214 includes a cleartext memory 210, 218, respectively. The cleartext memory 210, 218 may be embodied as any register, cache, private memory, or other memory of the component 206, 214 that may securely store data in cleartext (i.e., not encrypted). The cleartext memory 210, 218 may be private memory that is not addressable by the other components 214, 206 and not accessible to physical attack, such as memory integrated into the component 206, 214. The cleartext memory 210, 218 may also be addressable memory that is protected from unauthorized access by hardware access control and is not accessible to physical attack, such as cache or registers integrated into the component 206, 214. For example, the cleartext memory 210, 218 may be embodied as a register, register file, or cache of the processor 120. As another example, the cleartext memory 210, 218 may be embodied as one or more registers or private memory of the accelerator 134.

Additionally, each of the source 206 and the destination 214 is coupled to an encrypted memory 212, 220, respectively. The encrypted memory 212, 220 may be embodied as any memory or other storage that is encrypted at rest to protect from certain hardware attacks, for example by the memory encryption engines 208, 216. For example, the encrypted memory 212, 220 may be embodied as the main memory 128 coupled to the processor 120 and protected by the MKTME 126. As another example, the encrypted memory 212, 220 may be embodied as the memory 138 coupled to the accelerator 134 (e.g., DRAM or VRAM) and protected by the MKTME 136. As described further below, data stored in the encrypted memory 212, 220 may be addressable or otherwise accessible by both the source 206 and the destination 214. In some embodiments, the encrypted memory 212, 220 may be included in a unified address space.

The bypass control logic 204 is configured to determine whether to bypass either of the memory encryption engines 208, 216, and, if so, to bypass that memory encryption engine 208, 216. The bypass control logic 204 may determine whether to bypass the memory encryption engines 208, 216 based on a device configuration of the corresponding source 206 or destination 214 and/or based on a memory address associated with a transfer of encrypted data. The bypass control logic 204 may determine whether to bypass the memory encryption engines 208, 216 based on whether the data source is the cleartext memory 210 or the encrypted memory 212 and whether the data destination is the cleartext memory 218 or the encrypted memory 220. The bypass control logic 204 may determine whether to bypass the memory encryption engines 208, 216 based on whether a source address tweak or a destination address tweak is available to the memory encryption engines 208, 216. The bypass control logic 204 is configured to read encrypted data from the encrypted memory 212 of the source 206 if the memory encryption engine 208 is bypassed. The bypass control logic 204 is configured to write encrypted data to the encrypted memory 220 of the destination 214 if the memory encryption engine 216 is bypassed.

Each of the memory encryption engines 208, 216 is configured to perform a cryptographic operation (i.e., encryption or decryption) related to encrypted data transferred via the I/O link. The particular operations performed depend on the direction of transfer, the source and destination memory locations (e.g., in private memory or addressable memory), and whether any of the memory encryption engines 208, 216 are bypassed.

The memory encryption engine 208 may be configured to read encrypted data from an encrypted memory 212 coupled to the source 206 and decrypt the encrypted data to recover cleartext data using the shared encryption key and a tweak associated with the source 206 (e.g., a source address). The memory encryption engine 208 may be configured to read cleartext data from a cleartext memory 210 of the source 206. The memory encryption engine 208 may be configured to encrypt the cleartext data using the shared encryption key and a tweak associated with the destination 214 (e.g., a destination address) or a tweak associated with the source 206 (e.g., a source address).

The memory encryption engine 216 may be configured to decrypt encrypted data received via the I/O link to recover cleartext data using the shared encryption key and a tweak associated with the source 206 (e.g., a source address) or the destination 214 (e.g., a destination address). The memory encryption engine 216 may be configured to store the cleartext data in a cleartext memory 218 of the destination 214. The memory encryption engine 216 may be further configured to encrypt the cleartext data using the shared encryption key and a tweak associated with the destination 214 and to store the encrypted data in an encrypted memory 220 coupled to the destination 214.

Referring now to FIG. 3, in use, the computing device 100 may execute a method 300 for secure I/O transfers with memory encryption engines. It should be appreciated that, in some embodiments, the operations of the method 300 may be performed by one or more components of the environment 200 of the computing device 100 as shown in FIG. 2. The method 300 begins in block 302, in which the computing device 100 enumerates and activates an appropriate one-way bypass mode (OWM) in the MKTME 126 and the MKTME 136 of the accelerator 134. In the one-way mode, data may bypass the memory encryption engine 208, 216 on certain transactions between components 206, 214 with compatible cryptographic capabilities. Trusted software may configure the memory encryption engines 208, 216 in the one-way mode for compatible devices. For example, the OWM capability of the MKTME 126, 136 may be enumerated in a model-specific register of the processor 120 (e.g., IA32_TME_CAPABILITY) and activated by BIOS or another firmware environment of the computing device 100. The OWM mode may be configured by software (e.g., driver software, operating system software, or other software), for example using a PFCONFIG instruction. Operation in the OWM may require compatible devices on either end of the I/O link (e.g., the MKTME 126, 136 on both ends of the link 142). Compatible devices may enable the OWM mode for transfers to or from certain devices or certain predetermined memory addresses or address ranges.

In block 304, the computing device 100 configures the MKTME 126 with an encryption key. The encryption key may be any appropriate encryption key that is known by the processor 120 (e.g., by a trusted application or other trusted component) and the accelerator 134. For example, the encryption key may be embodied as a private key of a trust domain (TD) of the computing device 100. The encryption key may be securely programmed to the MKTME 126 using one or more specialized processor instructions, such as XBIND, PCONFIG.UNWRAP, and/or other instructions. The MKTME 126 may be configured by a trusted application or other trusted component of the computing device 100. In block 306, the computing device 100 configures the MKTME 136 of the accelerator 134 with the same encryption key as the MKTME 126. Similarly, the encryption key may be securely programmed to the MKTME 136 using one or more specialized processor instructions, such as XBIND, PCONFIG.UNWRAP, and/or other instructions.

In block 308, the computing device 100 securely transfers data via the I/O link 142 between the processor 120 and the accelerator 134. Data may be transferred in either direction (e.g., from the processor 120 to the accelerator 134 or from the accelerator 134 to the processor 120). In some embodiments, data transfers may be originated by either of the processor 120 or the accelerator 134. For example, the processor 120 may originate a write to the accelerator 134 and originate a read from the accelerator 134, and vice versa. The data transferred over the I/O link 142 is encrypted using the shared encryption key and a tweak. The tweak may be a source memory address or a destination memory address of the transferred data, such as a host physical address or other address. As described further below, the MKTME 126, 136 are used to perform cryptographic operations (e.g., encryption or decryption) on the encrypted data. One of the MKTME 126, 136 may be bypassed for certain transfers (e.g., by reading or writing encrypted data directly with encrypted memory 128, 138). As described below, the particular MKTME 126, 136 that is bypassed may depend on the originator of the data transfer and whether an appropriate tweak is available at each MKTME 126, 136.

In some embodiments, in block 310 the computing device 100 may transfer data from a source cleartext memory 210 to a destination encrypted memory 220. As described above, the source cleartext memory 210 may be embodied as any memory of the source component 206 (e.g., the processor 120 or the accelerator 134) that stores data in cleartext, that is, without encryption. The destination encrypted memory 220 may be embodied as any memory included in or coupled to the destination component 214 (e.g., the memory 128 coupled to the processor 120 or the memory 138 coupled to the accelerator 134) that stores encrypted data. During the transfer, the computing device 100 may bypass the memory encryption engine 216 of the destination 214 (e.g. one of the MKTME 126, 136).

In some embodiments, in block 312 the computing device 100 may transfer data from an encrypted memory 212 of the source 206 to a cleartext memory 218 of the destination 214. During the transfer, the computing device 100 may bypass the memory encryption engine 208 of the source 206 (e.g. one of the MKTME 126, 136).

In some embodiments, in block 314, the computing device 100 may transfer data from an encrypted memory 212 of the source 206 to an encrypted memory 220 of the destination 214. During the transfer, the computing device 100 may bypass the memory encryption engine 208, 216 of either the source 206 or the destination 214 (e.g. one of the MKTME 126, 136). The memory encryption engine 208, 216 of the other component may perform two cryptographic operations (e.g., to decrypt and then re-encrypt with the correct tweak).

In some embodiments, in block 316, the computing device 100 may transfer data from a cleartext memory 210 of the source 206 to a cleartext memory 218 of the destination 214. During the transfer, the computing device 100 may perform one cryptographic operation with each memory encryption engine 208, 216 of the source 206 and the destination 214 (e.g., each of the MKTME 126, 136). Encrypted data transferred over the I/O link is thus protected using the memory encryption engines 208, 216. After performing the transfer, the method 300 loops back to block 308 to continue transferring encrypted data.
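The four transfer cases of blocks 310-316 can be checked with a small model; the following Python is an added example, not part of the patent text. It assumes a SHAKE-256 XOR keystream (`tweak_crypt`) as a stand-in for the AES-XTS engine, constructed names, key, addresses and payload, a bypassed source engine for block 314, and the destination location as the tweak for block 316.

```python
import hashlib
from dataclasses import dataclass, field

SECRET = b"constructed enclave payload"   # constructed sample data
SHARED_KEY = bytes(range(16))             # constructed 128-bit shared key


def tweak_crypt(key: bytes, tweak: int, data: bytes) -> bytes:
    """Stand-in for the engine's tweakable cipher (the page names AES-XTS).
    XOR with a keystream bound to (key, address tweak); self-inverse.
    Model only: not a secure replacement for AES-XTS."""
    stream = hashlib.shake_256(key + tweak.to_bytes(8, "little")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Component:
    """A source or destination: one engine plus cleartext and encrypted memory."""
    name: str
    key: bytes                                      # key programmed into its engine
    cleartext: dict = field(default_factory=dict)   # location -> cleartext bytes
    encrypted: dict = field(default_factory=dict)   # address  -> ciphertext bytes
    ops: int = 0                                    # crypto operations this transfer

    def engine(self, tweak: int, data: bytes) -> bytes:
        self.ops += 1
        return tweak_crypt(self.key, tweak, data)

    def read_encrypted(self, addr: int) -> bytes:
        """Ordinary local read: decrypt with the local address as tweak."""
        return tweak_crypt(self.key, addr, self.encrypted[addr])


def transfer(src, dst, src_loc, dst_loc, src_enc: bool, dst_enc: bool) -> dict:
    """Move one buffer over the link and report what each engine did."""
    src.ops = dst.ops = 0
    bypassed = []
    if src_enc:
        # Blocks 312/314: bypass the source engine; the ciphertext at rest
        # (source-address tweak) goes onto the link unchanged.
        link, link_tweak = src.encrypted[src_loc], src_loc
        bypassed.append(src.name)
    else:
        # Blocks 310/316: source engine encrypts under the destination tweak.
        link, link_tweak = src.engine(dst_loc, src.cleartext[src_loc]), dst_loc
    if dst_enc and not src_enc:
        # Block 310: ciphertext already carries the destination tweak,
        # so the destination engine is bypassed and the bytes are stored as-is.
        dst.encrypted[dst_loc] = link
        bypassed.append(dst.name)
    else:
        # Destination needs the tweak the link data was encrypted under.
        clear = dst.engine(link_tweak, link)
        if dst_enc:
            # Block 314: second operation, re-encrypt with the correct tweak.
            dst.encrypted[dst_loc] = dst.engine(dst_loc, clear)
        else:
            dst.cleartext[dst_loc] = clear
    return {"link": link, "bypassed": bypassed,
            "src_ops": src.ops, "dst_ops": dst.ops}


def run_cases(accel_key: bytes = SHARED_KEY) -> dict:
    """Run all four (source encrypted?, destination encrypted?) combinations."""
    results = {}
    for src_enc in (False, True):
        for dst_enc in (False, True):
            cpu, acc = Component("cpu", SHARED_KEY), Component("accel", accel_key)
            src_loc, dst_loc = 0x1000, 0x8000        # constructed addresses
            if src_enc:
                cpu.encrypted[src_loc] = tweak_crypt(SHARED_KEY, src_loc, SECRET)
            else:
                cpu.cleartext[src_loc] = SECRET
            r = transfer(cpu, acc, src_loc, dst_loc, src_enc, dst_enc)
            r["received"] = (acc.read_encrypted(dst_loc) if dst_enc
                             else acc.cleartext[dst_loc])
            results[(src_enc, dst_enc)] = r
    return results


if __name__ == "__main__":
    for case, r in run_cases().items():
        print(case, r["bypassed"], r["src_ops"], r["dst_ops"],
              r["received"] == SECRET)
```

Calling `run_cases` with a different `accel_key` shows the failure mode when the two engines are not programmed with the same key: the destination recovers garbage instead of the payload.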

Referring now to FIG. 4, in use, the computing device 100 may execute a method 400 for source component transfers. It should be appreciated that, in some embodiments, the operations of the method 400 may be performed by one or more components of the environment 200 of the computing device 100 as shown in FIG. 2, such as the source 206 (e.g., the processor 120 or the accelerator 134, depending on the direction of the transfer). The method 400 begins in block 402, in which the source 206 determines whether a memory read is from a cleartext memory 210 of the source 206 or from an encrypted memory 212 of the source 206. The memory read may identify an address, register name, or other location as a source of data to be transferred. As described above, the cleartext memory 210 may be embodied as any register, cache, private memory, or other memory of the source 206 (e.g., the processor 120 or the accelerator 134) that may securely store data in cleartext (i.e., not encrypted). The encrypted memory 212 may be embodied as any memory or other storage coupled to the source 206 that is encrypted at rest to protect from certain hardware attacks (e.g., the memory 128 coupled to the processor 120 or the memory 138 coupled to the accelerator 134). In block 404 the source 206 checks whether the read is from cleartext memory 210 or encrypted memory 212. If the read is from encrypted memory 212, the method 400 branches to block 416, described below. If the read is from cleartext memory 210, the method 400 branches to block 406.

In block 406, the memory encryption engine 208 reads cleartext data from the cleartext memory 210 of the source 206. The memory encryption engine 208 may, for example, read the cleartext data from an internal bus, data port, secure fabric, sideband network, or other secure interface between the memory encryption engine 208 and the cleartext memory 210. Routing control may prevent cleartext data traveling from the cleartext memory 210 to the destination 214 without first passing through the memory encryption engine 208. Only certain unsecure (legacy) transfers may travel in cleartext from the cleartext memory 210 over an I/O link.

In block 408, the memory encryption engine 208 determines whether a destination address tweak is available for the data transfer. The tweak may be embodied as, for example, a host physical address for the encrypted data in the encrypted memory 220 of the destination 214. Whether the destination tweak is known by the memory encryption engine 208 of the source 206 may depend on the originator of the data transfer relative to the source 206 and the destination 214, for example whether the operation is a “read” or a “write” from the perspective of the source 206 and the destination 214. For example, if the data transfer is a “write” (originated by the source 206), the source 206 may know the destination address tweak. If the transfer is a “read” (originated by the destination 214), the source 206 may not know any destination address associated with the transfer.

If the destination address tweak is available, the method 400 branches to block 410, in which the memory encryption engine 208 encrypts the cleartext data using the shared encryption key and the destination address tweak. After encrypting the data, the method 400 advances to block 414, in which the source 206 transfers encrypted data over the I/O link 142 to the destination 214 (e.g., to the processor 120 or the accelerator 134). The encrypted data may be transferred with a memory-mapped I/O (MMIO) transaction, a direct memory access (DMA) transaction, or other data transfer. As described further below in connection with FIG. 5, the destination memory encryption engine 216 may decrypt the encrypted data, or the destination memory encryption engine 216 may be bypassed. After transferring the encrypted data, the method 400 loops back to block 402 to continue processing data transfers.

Referring back to block 408, if the destination address tweak is not available, then the method 400 branches to block 412, in which the memory encryption engine 208 encrypts the cleartext data using the shared encryption key and a source address tweak. After encrypting the data, the method 400 advances to block 414 to transfer the encrypted data over the I/O link 142 to the destination 214 as described above. After transferring the encrypted data, the method 400 loops back to block 402 to continue processing data transfers.

Referring back to block 404, if the read is from encrypted memory 212, the method 400 branches to block 416, in which the source 206 reads encrypted data from the encrypted memory 212. The source 206 may read the encrypted data from a memory controller, memory bus, data port, secure fabric, sideband network, or other communication link between the memory encryption engine 208 and the encrypted memory 212.

In block 418, the source 206 determines whether to bypass the memory encryption engine 208. The determination of whether to bypass the memory encryption engine 208 may depend on which of the source 206 and/or the destination 214 knows the source address tweak and/or destination address tweak associated with the data transfer. As described above, whether the source or destination tweak is available to the source 206 or destination 214 may depend on the originator of the data transfer relative to the source 206 and the destination 214. For example, for a “read,” the destination 214 may know the source address of the data transfer, and thus the source memory encryption engine 208 may be bypassed. As another example, for a “write,” the source 206 may know the destination address of the data transfer, and thus the destination memory encryption engine 216 may be bypassed. Accordingly, in some embodiments, the memory encryption engine 208 may be bypassed for transfers from the encrypted memory 212 of the source 206 to cleartext memory 218 of the destination 214, and the memory encryption engine 208 may not be bypassed for transfers from the encrypted memory 212 of the source 206 to encrypted memory 220 of the destination 214.

In block 420, the source 206 checks whether to bypass the memory encryption engine 208. If so, the method 400 branches to block 414, in which the source 206 transfers encrypted data from the encrypted memory 212 over the I/O link 142 to the destination 214, as described above. The memory encryption engine 208 is bypassed and does not perform cryptographic operations on the encrypted data read from the encrypted memory 212. The encrypted data may be decrypted by the destination 214 using the shared key and a source address tweak as described below in connection with FIG. 5. After transferring the encrypted data, the method 400 loops back to block 402 to continue processing data transfers.

Referring back to block 420, if the source 206 determines not to bypass the memory encryption engine 208, the method 400 branches to block 422, in which the memory encryption engine 208 decrypts the encrypted data using the shared encryption key and a source address tweak, which recovers cleartext data. The source address tweak may be embodied as, for example, a host physical address of the encrypted data in the encrypted memory 212. In block 424, the memory encryption engine 208 encrypts the cleartext data using the shared encryption key and a destination address tweak. The tweak may be embodied as, for example, a host physical address for the encrypted data in the encrypted memory 220 of the destination 214. Additionally or alternatively, although illustrated as including a single memory encryption engine 208 that performs two cryptographic operations in blocks 422, 424, it should be understood that in some embodiments the source 206 may include two memory encryption engines to perform those operations. After encrypting the data, the method 400 advances to block 414, in which the source 206 transfers encrypted data over the I/O link 142 to the destination 214, as described above. The encrypted data may be decrypted by the destination 214 using the shared key and the destination address tweak, or decryption may be bypassed by the destination 214 as described below in connection with FIG. 5. After transferring the encrypted data, the method 400 loops back to block 402 to continue processing data transfers.

Referring now to FIG. 5, in use, the computing device 100 may execute a method 500 for destination component transfers. It should be appreciated that, in some embodiments, the operations of the method 500 may be performed by one or more components of the environment 200 of the computing device 100 as shown in FIG. 2, such as the destination 214 (e.g., the processor 120 or the accelerator 134). The method 500 begins in block 502, in which the destination 214 receives encrypted data over the I/O link 142 from the source 206. As described above in connection with FIG. 4, the encrypted data is encrypted with an encryption key shared by the source 206 and the destination 214 and a tweak. The tweak may be a source address tweak, for example when the memory encryption engine 208 of the source 206 was bypassed, or may be a destination address tweak. The encrypted data may be included in a memory-mapped I/O transaction, a direct memory access (DMA) transaction, or other data transfer.

In block 504, the destination 214 determines whether the memory transfer is a write to a cleartext memory 218 of the destination 214 or to an encrypted memory 220 of the destination 214. As described above, the cleartext memory 218 may be embodied as any register, cache, private memory, or other memory of the destination 214 (e.g., the processor 120 or the accelerator 134) that may securely store data in cleartext (i.e., not encrypted). The encrypted memory 220 may be embodied as any memory or other storage coupled to the destination 214 that is encrypted at rest to protect from certain hardware attacks (e.g., the memory 128 coupled to the processor 120 or the memory 138 coupled to the accelerator 134). In block 506 the destination 214 checks whether the write is to cleartext memory 218 or to encrypted memory 220. If the write is to encrypted memory 220, the method 500 branches to block 516, described below. If the write is to cleartext memory 218, the method 500 branches to block 508.

In block 508, the memory encryption engine 216 determines whether a source address tweak is available for the data transfer. The tweak may be embodied as, for example, a host physical address for the encrypted data in the encrypted memory 212 of the source 206. Whether the source tweak is known by the memory encryption engine 216 of the destination 214 may depend on the originator of the data transfer relative to the source 206 and the destination 214, for example whether the operation is a “read” or a “write” from the perspective of the source 206 and the destination 214. For example, if the data transfer is a “write” (originated by the source 206), the destination 214 may not know the source address tweak. If the transfer is a “read” (originated by the destination 214), the destination 214 may know the source address associated with the transfer.

If the source address tweak is available, the method 500 branches to block 510, in which the memory encryption engine 216 decrypts the encrypted data using the shared encryption key and the source address tweak, which recovers cleartext data. For example, the source address tweak may be a host physical address for the encrypted memory at the source 206. The source tweak may be used when the memory encryption engine 208 is bypassed and the encrypted data is read directly from the encrypted memory 212, which may save at least one encryption and one decryption operation as compared to not bypassing the memory encryption engine 208. As another example, the source tweak may be used if the data originates from cleartext memory 210 at the source 206 and is encrypted by the memory encryption engine 208 with the source tweak to provide link encryption. After decrypting the data, the method 500 advances to block 514, described below.

Referring back to block 508, if the source address tweak is not available, the method 500 branches to block 512, in which the memory encryption engine 216 decrypts the encrypted data using the shared encryption key and a destination address tweak, such as a host physical address for the encrypted memory at the destination 214. For example, the destination tweak may be used if the data originates from cleartext memory 210 at the source 206 but is encrypted by the memory encryption engine 208 with the destination tweak to provide link encryption. After decrypting the data, the method 500 advances to block 514.

In block 514, after decryption, the memory encryption engine 216 forwards the cleartext data to cleartext memory 218 of the destination 214 (e.g., the processor 120 or the accelerator 134). The cleartext data may be provided to a cache memory, a register, or another private memory of the destination 214. The cleartext data is thus protected from unauthorized disclosure to other components of the computing device 100. After being stored in the cleartext memory 218, an application executed by the computing device 100 may access the cleartext data without further decryption operations. For example, application software executed by the processor 120 may access cleartext data from one or more registers or cache of the processor 120. As another example, an application function unit or other part of the accelerator 134 may access cleartext data from one or more registers or private memory of the accelerator 134. After forwarding the cleartext data, the method 500 loops back to block 502 to process additional encrypted data transfers.

Referring back to block 506, if the write is to encrypted memory 220, the method 500 branches to block 516, in which the destination 214 determines whether to bypass the memory encryption engine 216. As described above, the determination of whether to bypass the memory encryption engine 216 may depend on which of the source 206 and/or the destination 214 knows the source address tweak and/or destination address tweak associated with the data transfer. As described above, whether the source or destination tweak is available to the source 206 or destination 214 may depend on the originator of the data transfer relative to the source 206 and the destination 214. For example, for a “read,” the destination 214 may know the source address of the data transfer, and thus the source memory encryption engine 208 may be bypassed. As another example, for a “write,” the source 206 may know the destination address of the data transfer, and thus the destination memory encryption engine 216 may be bypassed. Accordingly, in some embodiments, the memory encryption engine 216 may not be bypassed for transfers from the encrypted memory 212 of the source 206 to cleartext memory 218 of the destination 214, and the memory encryption engine 216 may be bypassed for transfers from the encrypted memory 212 of the source 206 to encrypted memory 220 of the destination 214 (e.g., DMA transfers).

In block 518, the destination 214 checks whether to bypass the memory encryption engine 216. If so, the method 500 branches to block 524, in which the destination 214 stores the encrypted data in the encrypted memory 220 of the destination 214. The encrypted data may be stored in, for example, the memory 128 or the memory 138 coupled to the accelerator 134. The encrypted data as stored is encrypted by the shared encryption key and a destination address tweak. Thus, the encryption was performed by the source memory encryption engine 208 with the destination address tweak, which allowed bypass of the destination memory encryption engine 216 and saved at least one encryption operation and one decryption operation. After the encrypted data is stored, the destination 214 may access the encrypted data using the memory encryption engine 216 as in typical accesses to encrypted memory (e.g., using the MKTME 126, 136). After storing the encrypted data, the method 500 loops back to block 502 to process additional encrypted data transfers.

Referring back to block 518, if the destination 214 determines not to bypass the memory encryption engine 216, the method 500 advances to block 520. In block 520, the memory encryption engine 216 decrypts the encrypted data using the shared encryption key and a source address tweak, which recovers the cleartext data. The source address tweak may be embodied as, for example, a host physical address of the encrypted data in an encrypted memory 212 of the source 206. By performing decryption at the destination 214, the source 206 may have been able to bypass the memory encryption engine 208 as described above. In block 522, the memory encryption engine 216 encrypts the cleartext data using the shared encryption key and a destination address tweak. The tweak may be embodied as, for example, a host physical address for the encrypted data in the encrypted memory 220 of the destination 214. Additionally or alternatively, although illustrated as including a single memory encryption engine 216 that performs two cryptographic operations in blocks 520, 522, it should be understood that in some embodiments the destination 214 may include two memory encryption engines to perform those operations. After encrypting the data, the method 500 advances to block 524, in which the destination 214 stores the encrypted data in the encrypted memory 220 of the destination 214 as described above. After storing the encrypted data, the method 500 loops back to block 502 to process additional encrypted data transfers.
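
The source-side decisions of the method 400 and the destination-side decisions of the method 500 can be modeled together, as in the following added example, which is not part of the original disclosure. The `ToyMEE` keystream cipher is a stand-in for a real tweakable cipher, and the rule that a “write” gives the source the destination address while a “read” gives the destination the source address is an assumption taken from the examples above; all names, addresses and the key are constructed.

```python
"""Added illustration, not from the patent: tweak selection and engine bypass
in method 400 (source) and method 500 (destination)."""
import hashlib

SHARED_KEY = b"constructed-shared-key"  # both engines are configured with it


class ToyMEE:
    """Stand-in for a memory encryption engine (e.g. an MKTME).

    XORs data with a SHA-256 keystream bound to (key, tweak). This is NOT a
    real tweakable block cipher; it only makes the flow runnable offline.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.ops = 0  # cryptographic operations this engine performed

    def crypt(self, data: bytes, tweak: int) -> bytes:
        """Encrypt or decrypt (XOR is its own inverse) under key and tweak."""
        self.ops += 1
        stream, counter = b"", 0
        while len(stream) < len(data):
            seed = self.key + tweak.to_bytes(8, "little") + counter.to_bytes(4, "little")
            stream += hashlib.sha256(seed).digest()
            counter += 1
        return bytes(d ^ s for d, s in zip(data, stream))


def source_side(mee, stored, src_encrypted, src_addr, dst_addr, op):
    """Method 400: return the bytes the source puts on the I/O link."""
    dst_tweak_known = op == "write"  # assumption: the originator knows the far address
    if not src_encrypted:  # blocks 406-412: encrypt cleartext for the link
        return mee.crypt(stored, dst_addr if dst_tweak_known else src_addr)
    if not dst_tweak_known:  # blocks 418-420: bypass, ciphertext leaves as stored
        return stored
    clear = mee.crypt(stored, src_addr)  # block 422: decrypt with source tweak
    return mee.crypt(clear, dst_addr)  # block 424: re-encrypt with destination tweak


def destination_side(mee, wire, dst_encrypted, src_addr, dst_addr, op):
    """Method 500: return the bytes stored in destination memory."""
    src_tweak_known = op == "read"  # assumption: the originator knows the far address
    if not dst_encrypted:  # blocks 508-514: decrypt into cleartext memory
        return mee.crypt(wire, src_addr if src_tweak_known else dst_addr)
    if not src_tweak_known:  # blocks 516-518, 524: bypass, store as received
        return wire
    clear = mee.crypt(wire, src_addr)  # block 520: decrypt with source tweak
    return mee.crypt(clear, dst_addr)  # block 522: re-encrypt with destination tweak


def transfer(secret, src_encrypted, dst_encrypted, op, src_addr=0x1000, dst_addr=0x8000):
    """Run one transfer end to end and report what crossed the link."""
    src_mee, dst_mee = ToyMEE(SHARED_KEY), ToyMEE(SHARED_KEY)
    at_rest = ToyMEE(SHARED_KEY)  # ordinary encrypted-memory accesses, not counted
    stored = at_rest.crypt(secret, src_addr) if src_encrypted else secret
    wire = source_side(src_mee, stored, src_encrypted, src_addr, dst_addr, op)
    landed = destination_side(dst_mee, wire, dst_encrypted, src_addr, dst_addr, op)
    readable = at_rest.crypt(landed, dst_addr) if dst_encrypted else landed
    return {"wire": wire, "readable": readable,
            "src_ops": src_mee.ops, "dst_ops": dst_mee.ops}


if __name__ == "__main__":
    secret = b"constructed enclave payload 0001"
    for src_enc in (False, True):
        for dst_enc in (False, True):
            for op in ("read", "write"):
                r = transfer(secret, src_enc, dst_enc, op)
                print(f"src_encrypted={src_enc!s:5} dst_encrypted={dst_enc!s:5} "
                      f"{op:5} src_ops={r['src_ops']} dst_ops={r['dst_ops']} "
                      f"ok={r['readable'] == secret}")
```

In this model the bypass saves work only when the component doing the cryptography is the one that holds the needed tweak; a transfer whose originator leaves the encrypted-memory side without the far address costs three operations instead of one.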

It should be appreciated that, in some embodiments, the methods 300, 400, and/or 500 may be embodied as various instructions stored on a computer-readable media, which may be executed by the processor 120, the I/O subsystem 124, the accelerator 134, the MKTME 126, 136, and/or other components of the computing device 100 to cause the computing device 100 to perform the respective method 300, 400, and/or 500. The computer-readable media may be embodied as any type of media capable of being read by the computing device 100 including, but not limited to, the memory 128, the data storage device 130, firmware devices, other memory or data storage devices of the computing device 100, portable media readable by a peripheral device 140 of the computing device 100, and/or other media.

EXAMPLES

Illustrative examples of the technologies disclosed herein are provided below. An embodiment of the technologies may include any one or more, and any combination of, the examples described below.

Example 1 includes a computing device for secure data transfer, the computing device comprising: a first memory encryption engine and a second encryption engine; a transfer manager to (i) configure the first memory encryption engine and the second memory encryption engine with a first encryption key and (ii) transfer encrypted data from a source component to a destination component via an I/O link between the source component and the destination component, wherein the encrypted data is encrypted with the first encryption key; and bypass control logic to bypass the second memory encryption engine; wherein the first memory encryption engine is to perform a cryptographic operation related to the encrypted data using the first encryption key.

Example 2 includes the subject matter of Example 1, and wherein: the source component comprises the first memory encryption engine; the destination component comprises the second memory encryption engine; to transfer the encrypted data comprises to transfer the encrypted data in response to performance of the cryptographic operation; and to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to transfer of the encrypted data.

Example 3 includes the subject matter of any of Examples 1 and 2, and wherein: the first memory encryption engine is further to read cleartext data from a cleartext memory of the source component; the bypass control logic is further to store the encrypted data in an encrypted memory coupled to the destination component in response to bypass of the second memory encryption engine; and to perform the cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component in response to a read of the cleartext data.

Example 4 includes the subject matter of any of Examples 1-3, and wherein: the first memory encryption engine is further to (i) read the encrypted data from an encrypted memory coupled to the source component and (ii) perform a second cryptographic operation related to the encrypted data using the first encryption key in response to performance of the cryptographic operation; the bypass control logic is further to store the encrypted data in an encrypted memory coupled to the destination component in response to bypass of the second memory encryption engine; to perform the cryptographic operation comprises to decrypt the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component in response to a read of the encrypted data; to perform the second cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component; and to transfer the encrypted data comprises to transfer the encrypted data in response to performance of the second cryptographic operation.

Example 5 includes the subject matter of any of Examples 1-4, and wherein: the source component comprises the second memory encryption engine; the destination component comprises the first memory encryption engine; to transfer the encrypted data comprises to transfer the encrypted data in response to bypass of the second memory encryption engine; and to perform the cryptographic operation comprises to perform the cryptographic operation in response to transfer of the encrypted data.

Example 6 includes the subject matter of any of Examples 1-5, and wherein: the bypass control logic is to read the encrypted data from an encrypted memory coupled to the source component; the first memory encryption engine is further to store cleartext data in a cleartext memory of the destination component in response to performance of the cryptographic operation; to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to a read of the encrypted data; and to perform the cryptographic operation comprises to decrypt the encrypted data to recover the cleartext data using the first encryption key and a tweak associated with the source component.

Example 7 includes the subject matter of any of Examples 1-6, and wherein: the bypass control logic is to read the encrypted data from an encrypted memory coupled to the source component; the first memory encryption engine is to (i) perform a second cryptographic operation related to the encrypted data using the first encryption key in response to performance of the cryptographic operation, and (ii) store the encrypted data in an encrypted memory coupled to the destination component in response to performance of the second cryptographic operation; to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to a read of the encrypted data; to perform the cryptographic operation comprises to decrypt the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component; and to perform the second cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component.

Example 8 includes the subject matter of any of Examples 1-7, and wherein: the bypass control logic is to determine whether to bypass the second memory encryption engine; and the second memory encryption engine is to perform a second cryptographic operation related to the encrypted data using the first encryption key in response to a determination not to bypass the second memory encryption engine; the source component comprises the first memory encryption engine; the destination component comprises the second memory encryption engine; and to transfer the encrypted data comprises to transfer the encrypted data in response to performance of the cryptographic operation.

Example 9 includes the subject matter of any of Examples 1-8, and wherein: the first memory encryption engine is further to read cleartext data from a cleartext memory of the source component; the second memory encryption engine is further to store the cleartext data in a cleartext memory of the destination component in response to performance of the second cryptographic operation; to perform the cryptographic operation comprises to encrypt the cleartext data using the first encryption key in response to a read of the cleartext data; and to perform the second cryptographic operation comprises to decrypt the encrypted data to recover the cleartext data using the first encryption key.

Example 10 includes the subject matter of any of Examples 1-9, and wherein: to perform the cryptographic operation further comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the source component; and to perform the second cryptographic operation comprises to decrypt the encrypted data using the first encryption key and the tweak associated with the source component.

Example 11 includes the subject matter of any of Examples 1-10, and wherein: to perform the cryptographic operation further comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component; and to perform the second cryptographic operation comprises to decrypt the encrypted data using the first encryption key and the tweak associated with the destination component.

Example 12 includes the subject matter of any of Examples 1-11, and wherein: the bypass control logic is further to determine whether to bypass the second memory encryption engine; and to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to a determination to bypass the second memory encryption engine.

Example 13 includes the subject matter of any of Examples 1-12, and wherein to determine whether to bypass the second memory encryption engine comprises to determine whether to bypass the second memory encryption engine based on a device configuration of the source component or a device configuration of the destination component.

Example 14 includes the subject matter of any of Examples 1-13, and wherein to determine whether to bypass the second memory encryption engine comprises to determine whether to bypass the second memory encryption engine based on a memory address associated with the encrypted data.

Example 15 includes the subject matter of any of Examples 1-14, and wherein to determine whether to bypass the second memory encryption engine comprises to determine whether a tweak associated with the encrypted data is available to the first memory encryption engine.

Example 16 includes the subject matter of any of Examples 1-15, and wherein: the computing device comprises a processor and an accelerator, wherein the I/O link is coupled between the processor and the accelerator; the source component comprises the processor or the accelerator; the destination component comprises the processor or the accelerator; the first memory encryption engine comprises a memory encryption engine of the processor or a memory encryption engine of the accelerator; and the second memory encryption engine comprises the memory encryption engine of the processor or the memory encryption engine of the accelerator other than the first memory encryption engine.

Example 17 includes the subject matter of any of Examples 1-16, and wherein the I/O link comprises a PCI link or an accelerator device link.

Example 18 includes a method for secure data transfer, the method comprising: configuring, by a computing device, a first memory encryption engine of the computing device and a second memory encryption engine of the computing device with a first encryption key; transferring, by the computing device, encrypted data from a source component to a destination component via an I/O link between the source component and the destination component, wherein the encrypted data is encrypted with the first encryption key; performing, by the first memory encryption engine, a cryptographic operation related to the encrypted data using the first encryption key; and bypassing, by the computing device, the second memory encryption engine.

Example 19 includes the subject matter of Example 18, and wherein: the source component comprises the first memory encryption engine; the destination component comprises the second memory encryption engine; transferring the encrypted data comprises transferring the encrypted data in response to performing the cryptographic operation; and bypassing the second memory encryption engine comprises bypassing the second memory encryption engine in response to transferring the encrypted data.

Example 20 includes the subject matter of any of Examples 18 and 19, and further comprising: reading, by the computing device, cleartext data from a cleartext memory of the source component; and storing, by the computing device, the encrypted data in an encrypted memory coupled to the destination component in response to bypassing the second memory encryption engine; wherein performing the cryptographic operation comprises encrypting the cleartext data using the first encryption key and a tweak associated with the destination component in response to reading the cleartext data.

Example 21 includes the subject matter of any of Examples 18-20, and further comprising: reading, by the computing device, the encrypted data from an encrypted memory coupled to the source component; performing, by the first memory encryption engine, a second cryptographic operation related to the encrypted data using the first encryption key in response to performing the cryptographic operation; and storing, by the computing device, the encrypted data in an encrypted memory coupled to the destination component in response to bypassing the second memory encryption engine; wherein performing the cryptographic operation comprises decrypting the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component in response to reading the encrypted data; wherein performing the second cryptographic operation comprises encrypting the cleartext data using the first encryption key and a tweak associated with the destination component; and wherein transferring the encrypted data comprises transferring the encrypted data in response to performing the second cryptographic operation.

Example 22 includes the subject matter of any of Examples 18-21, and wherein: the source component comprises the second memory encryption engine; the destination component comprises the first memory encryption engine; transferring the encrypted data comprises transferring the encrypted data in response to bypassing the second memory encryption engine; and performing the cryptographic operation comprises performing the cryptographic operation in response to transferring the encrypted data.

Example 23 includes the subject matter of any of Examples 18-22, and further comprising: reading, by the computing device, the encrypted data from an encrypted memory coupled to the source component; and storing, by the computing device, cleartext data in a cleartext memory of the destination component in response to performing the cryptographic operation; wherein bypassing the second memory encryption engine comprises bypassing the second memory encryption engine in response to reading the encrypted data; and wherein performing the cryptographic operation comprises decrypting the encrypted data to recover the cleartext data using the first encryption key and a tweak associated with the source component.

Example 24 includes the subject matter of any of Examples 18-23, and further comprising: reading, by the computing device, the encrypted data from an encrypted memory coupled to the source component; performing, by the first memory encryption engine, a second cryptographic operation related to the encrypted data using the first encryption key in response to performing the cryptographic operation; and storing, by the computing device, the encrypted data in an encrypted memory coupled to the destination component in response to performing the second cryptographic operation; wherein bypassing the second memory encryption engine comprises bypassing the second memory encryption engine in response to reading the encrypted data; wherein performing the cryptographic operation comprises decrypting the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component; and wherein performing the second cryptographic operation comprises encrypting the cleartext data using the first encryption key and a tweak associated with the destination component.

Example 25 includes the subject matter of any of Examples 18-24, and further comprising: determining, by the computing device, whether to bypass the second memory encryption engine; and performing, by the second memory encryption engine, a second cryptographic operation related to the encrypted data using the first encryption key in response to determining not to bypass the second memory encryption engine; wherein the source component comprises the first memory encryption engine; wherein the destination component comprises the second memory encryption engine; and wherein transferring the encrypted data comprises transferring the encrypted data in response to performing the cryptographic operation.

Example 26 includes the subject matter of any of Examples 18-25, and further comprising: reading, by the computing device, cleartext data from a cleartext memory of the source component; and storing, by the computing device, the cleartext data in a cleartext memory of the destination component in response to performing the second cryptographic operation; wherein performing the cryptographic operation comprises encrypting the cleartext data using the first encryption key in response to reading the cleartext data; and wherein performing the second cryptographic operation comprises decrypting the encrypted data to recover the cleartext data using the first encryption key.

Example 27 includes the subject matter of any of Examples 18-26, and wherein: performing the cryptographic operation further comprises encrypting the cleartext data using the first encryption key and a tweak associated with the source component; and performing the second cryptographic operation comprises decrypting the encrypted data using the first encryption key and the tweak associated with the source component.

Example 28 includes the subject matter of any of Examples 18-27, and wherein: performing the cryptographic operation further comprises encrypting the cleartext data using the first encryption key and a tweak associated with the destination component; and performing the second cryptographic operation comprises decrypting the encrypted data using the first encryption key and the tweak associated with the destination component.

Example 29 includes the subject matter of any of Examples 18-28, and further comprising: determining, by the computing device, whether to bypass the second memory encryption engine; wherein bypassing the second memory encryption engine comprises bypassing the second memory encryption engine in response to determining to bypass the second memory encryption engine.

Example 30 includes the subject matter of any of Examples 18-29, and wherein determining whether to bypass the second memory encryption engine comprises determining whether to bypass the second memory encryption engine based on a device configuration of the source component or a device configuration of the destination component.

Example 31 includes the subject matter of any of Examples 18-30, and wherein determining whether to bypass the second memory encryption engine comprises determining whether to bypass the second memory encryption engine based on a memory address associated with the encrypted data.

Example 32 includes the subject matter of any of Examples 18-31, and wherein determining whether to bypass the second memory encryption engine comprises determining whether a tweak associated with the encrypted data is available to the first memory encryption engine.

Example 33 includes the subject matter of any of Examples 18-32, and wherein: the computing device comprises a processor and an accelerator, wherein the I/O link is coupled between the processor and the accelerator; the source component comprises the processor or the accelerator; the destination component comprises the processor or the accelerator; the first memory encryption engine comprises a memory encryption engine of the processor or a memory encryption engine of the accelerator; and the second memory encryption engine comprises the memory encryption engine of the processor or the memory encryption engine of the accelerator other than the first memory encryption engine.

Example 34 includes the subject matter of any of Examples 18-33, and wherein the I/O link comprises a PCI link or an accelerator device link.

Example 35 includes a computing device comprising: a processor; and a memory having stored therein a plurality of instructions that when executed by the processor cause the computing device to perform the method of any of Examples 18-34.

Example 36 includes one or more non-transitory, computer readable storage media comprising a plurality of instructions stored thereon that in response to being executed result in a computing device performing the method of any of Examples 18-34.

Example 37 includes a computing device comprising means for performing the method of any of Examples 18-34.
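The bypass decision of Example 32 and the two resulting transfer paths (source engine bypassed as in Example 24, or destination engine bypassed as in claim 4) can be modelled in software. The following is an added illustration, not code from the patent: the HMAC-based keystream is a stand-in for the engines' hardware cipher, and the tweak layout and all class and function names are assumptions.

```python
import hashlib
import hmac


def keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """Toy tweakable keystream (HMAC-SHA256 in counter mode).

    Stand-in for the engines' hardware cipher, which is not modelled here.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, tweak + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_tweak(component: str, address: int) -> bytes:
    """Assumed tweak layout: component name plus memory address."""
    return component.encode() + b"|" + address.to_bytes(8, "big")


class MemoryEncryptionEngine:
    def __init__(self, name: str):
        self.name = name
        self.key = b""
        self.tweaks = set()
        self.ops = 0  # cryptographic operations actually performed

    def configure(self, key: bytes, tweaks) -> None:
        self.key = key
        self.tweaks = set(tweaks)

    def crypt(self, data: bytes, tweak: bytes) -> bytes:
        """XOR with the keystream; the same call encrypts and decrypts."""
        if tweak not in self.tweaks:
            raise KeyError(f"{self.name}: tweak not available")
        self.ops += 1
        stream = keystream(self.key, tweak, len(data))
        return bytes(a ^ b for a, b in zip(data, stream))


def transfer(src, dst, stored: bytes, src_tweak: bytes, dst_tweak: bytes):
    """Move data from encrypted source memory to encrypted destination memory.

    Returns (bypassed engine name, bytes on the I/O link, bytes stored).
    """
    if src_tweak in dst.tweaks:
        # Example 32 satisfied: the destination engine holds the source
        # tweak, so the source engine is bypassed (Example 24).
        on_link = stored
        clear = dst.crypt(on_link, src_tweak)
        return src.name, on_link, dst.crypt(clear, dst_tweak)
    # Otherwise the source engine decrypts and re-encrypts under the
    # destination tweak, and the destination engine is bypassed (claim 4).
    clear = src.crypt(stored, src_tweak)
    on_link = src.crypt(clear, dst_tweak)
    return dst.name, on_link, on_link
```

In both paths only ciphertext under the shared key crosses the I/O link, and exactly one engine performs the two cryptographic operations while the other is bypassed.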

1. A computing device for secure data transfer, the computing device comprising: a first memory encryption engine and a second encryption engine; a transfer manager to (i) configure the first memory encryption engine and the second memory encryption engine with a first encryption key and (ii) transfer encrypted data from a source component to a destination component via an I/O link between the source component and the destination component, wherein the encrypted data is encrypted with the first encryption key; and bypass control logic to bypass the second memory encryption engine; wherein the first memory encryption engine is to perform a cryptographic operation related to the encrypted data using the first encryption key.
2. The computing device of claim 1, wherein: the source component comprises the first memory encryption engine; the destination component comprises the second memory encryption engine; to transfer the encrypted data comprises to transfer the encrypted data in response to performance of the cryptographic operation; and to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to transfer of the encrypted data.
3. The computing device of claim 2, wherein: the first memory encryption engine is further to read cleartext data from a cleartext memory of the source component; the bypass control logic is further to store the encrypted data in an encrypted memory coupled to the destination component in response to bypass of the second memory encryption engine; and to perform the cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component in response to a read of the cleartext data.
4. The computing device of claim 2, wherein: the first memory encryption engine is further to (i) read the encrypted data from an encrypted memory coupled to the source component and (ii) perform a second cryptographic operation related to the encrypted data using the first encryption key in response to performance of the cryptographic operation; the bypass control logic is further to store the encrypted data in an encrypted memory coupled to the destination component in response to bypass of the second memory encryption engine; to perform the cryptographic operation comprises to decrypt the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component in response to a read of the encrypted data; to perform the second cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component; and to transfer the encrypted data comprises to transfer the encrypted data in response to performance of the second cryptographic operation.
5. The computing device of claim 1, wherein: the source component comprises the second memory encryption engine; the destination component comprises the first memory encryption engine; to transfer the encrypted data comprises to transfer the encrypted data in response to bypass of the second memory encryption engine; and to perform the cryptographic operation comprises to perform the cryptographic operation in response to transfer of the encrypted data.
6. The computing device of claim 5, wherein: the bypass control logic is to read the encrypted data from an encrypted memory coupled to the source component; the first memory encryption engine is further to store cleartext data in a cleartext memory of the destination component in response to performance of the cryptographic operation; to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to a read of the encrypted data; and to perform the cryptographic operation comprises to decrypt the encrypted data to recover the cleartext data using the first encryption key and a tweak associated with the source component.
7. The computing device of claim 5, wherein: the bypass control logic is to read the encrypted data from an encrypted memory coupled to the source component; the first memory encryption engine is to (i) perform a second cryptographic operation related to the encrypted data using the first encryption key in response to performance of the cryptographic operation, and (ii) store the encrypted data in an encrypted memory coupled to the destination component in response to performance of the second cryptographic operation; to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to a read of the encrypted data; to perform the cryptographic operation comprises to decrypt the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component; and to perform the second cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component.
8. The computing device of claim 1, wherein: the bypass control logic is to determine whether to bypass the second memory encryption engine; and the second memory encryption engine is to perform a second cryptographic operation related to the encrypted data using the first encryption key in response to a determination not to bypass the second memory encryption engine; the source component comprises the first memory encryption engine; the destination component comprises the second memory encryption engine; and to transfer the encrypted data comprises to transfer the encrypted data in response to performance of the cryptographic operation.
9. The computing device of claim 8, wherein: the first memory encryption engine is further to read cleartext data from a cleartext memory of the source component; the second memory encryption engine is further to store the cleartext data in a cleartext memory of the destination component in response to performance of the second cryptographic operation; to perform the cryptographic operation comprises to encrypt the cleartext data using the first encryption key in response to a read of the cleartext data; and to perform the second cryptographic operation comprises to decrypt the encrypted data to recover the cleartext data using the first encryption key.
10. The computing device of claim 1, wherein: the bypass control logic is further to determine whether to bypass the second memory encryption engine; and to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to a determination to bypass the second memory encryption engine.
11. The computing device of claim 10, wherein to determine whether to bypass the second memory encryption engine comprises to determine whether to bypass the second memory encryption engine based on a memory address associated with the encrypted data.
12. The computing device of claim 10, wherein to determine whether to bypass the second memory encryption engine comprises to determine whether a tweak associated with the encrypted data is available to the first memory encryption engine.
13. The computing device of claim 1, wherein: the computing device comprises a processor and an accelerator, wherein the I/O link is coupled between the processor and the accelerator; the source component comprises the processor or the accelerator; the destination component comprises the processor or the accelerator; the first memory encryption engine comprises a memory encryption engine of the processor or a memory encryption engine of the accelerator; and the second memory encryption engine comprises the memory encryption engine of the processor or the memory encryption engine of the accelerator other than the first memory encryption engine.
14. A method for secure data transfer, the method comprising: configuring, by the computing device, a first memory encryption engine of the computing device and a second memory encryption engine of the computing device with a first encryption key; transferring, by the computing device, encrypted data from a source component to a destination component via an I/O link between the source component and the destination component, wherein the encrypted data is encrypted with the first encryption key; performing, by the first memory encryption engine, a cryptographic operation related to the encrypted data using the first encryption key; and bypassing, by the computing device, the second memory encryption engine.
15. The method of claim 14, wherein: the source component comprises the first memory encryption engine; the destination component comprises the second memory encryption engine; transferring the encrypted data comprises transferring the encrypted data in response to performing the cryptographic operation; and bypassing the second memory encryption engine comprises bypassing the second memory encryption engine in response to transferring the encrypted data.
16. The method of claim 15, further comprising: reading, by the computing device, cleartext data from a cleartext memory of the source component; and storing, by the computing device, the encrypted data in an encrypted memory coupled to the destination component in response to bypassing the second memory encryption engine; wherein performing the cryptographic operation comprises encrypting the cleartext data using the first encryption key and a tweak associated with the destination component in response to reading the cleartext data.
17. The method of claim 15, further comprising: reading, by the computing device, the encrypted data from an encrypted memory coupled to the source component; performing, by the first memory encryption engine, a second cryptographic operation related to the encrypted data using the first encryption key in response to performing the cryptographic operation; and storing, by the computing device, the encrypted data in an encrypted memory coupled to the destination component in response to bypassing the second memory encryption engine; wherein performing the cryptographic operation comprises decrypting the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component in response to reading the encrypted data; wherein performing the second cryptographic operation comprises encrypting the cleartext data using the first encryption key and a tweak associated with the destination component; and wherein transferring the encrypted data comprises transferring the encrypted data in response to performing the second cryptographic operation.
18. The method of claim 14, wherein: the source component comprises the second memory encryption engine; the destination component comprises the first memory encryption engine; transferring the encrypted data comprises transferring the encrypted data in response to bypassing the second memory encryption engine; and performing the cryptographic operation comprises performing the cryptographic operation in response to transferring the encrypted data.
19. The method of claim 18, further comprising: reading, by the computing device, the encrypted data from an encrypted memory coupled to the source component; performing, by the first memory encryption engine, a second cryptographic operation related to the encrypted data using the first encryption key in response to performing the cryptographic operation; and storing, by the computing device, the encrypted data in an encrypted memory coupled to the destination component in response to performing the second cryptographic operation; wherein bypassing the second memory encryption engine comprises bypassing the second memory encryption engine in response to reading the encrypted data; wherein performing the cryptographic operation comprises decrypting the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component; and wherein performing the second cryptographic operation comprises encrypting the cleartext data using the first encryption key and a tweak associated with the destination component.
20. One or more computer-readable storage media comprising a plurality of instructions stored thereon that, in response to being executed, cause a computing device to: configure a first memory encryption engine of the computing device and a second memory encryption engine of the computing device with a first encryption key; transfer encrypted data from a source component to a destination component via an I/O link between the source component and the destination component, wherein the encrypted data is encrypted with the first encryption key; perform, by the first memory encryption engine, a cryptographic operation related to the encrypted data using the first encryption key; and bypass the second memory encryption engine.
21. The one or more computer-readable storage media of claim 20, wherein: the source component comprises the first memory encryption engine; the destination component comprises the second memory encryption engine; to transfer the encrypted data comprises to transfer the encrypted data in response to performing the cryptographic operation; and to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to transferring the encrypted data.
22. The one or more computer-readable storage media of claim 21, further comprising a plurality of instructions stored thereon that, in response to being executed, cause the computing device to: read cleartext data from a cleartext memory of the source component; and store the encrypted data in an encrypted memory coupled to the destination component in response to bypassing the second memory encryption engine; wherein to perform the cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component in response to reading the cleartext data.
23. The one or more computer-readable storage media of claim 21, further comprising a plurality of instructions stored thereon that, in response to being executed, cause the computing device to: read the encrypted data from an encrypted memory coupled to the source component; perform, by the first memory encryption engine, a second cryptographic operation related to the encrypted data using the first encryption key in response to performing the cryptographic operation; and store the encrypted data in an encrypted memory coupled to the destination component in response to bypassing the second memory encryption engine; wherein to perform the cryptographic operation comprises to decrypt the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component in response to reading the encrypted data; wherein to perform the second cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component; and wherein to transfer the encrypted data comprises to transfer the encrypted data in response to performing the second cryptographic operation.
24. The one or more computer-readable storage media of claim 20, wherein: the source component comprises the second memory encryption engine; the destination component comprises the first memory encryption engine; to transfer the encrypted data comprises to transfer the encrypted data in response to bypassing the second memory encryption engine; and to perform the cryptographic operation comprises to perform the cryptographic operation in response to transferring the encrypted data.
25. The one or more computer-readable storage media of claim 24, further comprising a plurality of instructions stored thereon that, in response to being executed, cause the computing device to: read the encrypted data from an encrypted memory coupled to the source component; perform, by the first memory encryption engine, a second cryptographic operation related to the encrypted data using the first encryption key in response to performing the cryptographic operation; and store the encrypted data in an encrypted memory coupled to the destination component in response to performing the second cryptographic operation; wherein to bypass the second memory encryption engine comprises to bypass the second memory encryption engine in response to reading the encrypted data; wherein to perform the cryptographic operation comprises to decrypt the encrypted data to recover cleartext data using the first encryption key and a tweak associated with the source component; and wherein to perform the second cryptographic operation comprises to encrypt the cleartext data using the first encryption key and a tweak associated with the destination component.